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A SYSTEM FOR CONTROLLING THE DISTRIBUTION AND USE OF 
RENDERED DIGITAL WORKS THROUGH WATERMARKING 

Field of the Invention 

The present invention relates to the field of distribution and usage rights 
5 enforcement for digitally encoded works, and in particular to identification of non- 
authorized copies of digitally encoded woi1<s that have been rendered. 

Background of the Invention 

Pending U.S. Patent application serial no. 08/344, 042 filed November 29, 
1996, incorporated herein by reference, describes a system which provides for 
10 the secure and accounted for distribution of digitally encoded works (hereinafter 
digital works). However, once a digital work leaves the digital domain, e.g. it is 
printed out. played or otherwise rendered, it is not longer secure and can be 
subjected to unauthorized copying. This is a problem for all rendered digital 
works. 

15 Two known techniques for protecting digital works by imparting 

information onto the digital document are Vatemiarking" and "^ngerprinting". 
The term watemiark historically refers to a translucent design impressed on 
paper during manufacture which is visible when the paper is held to the light. 
Because watermarks are impressed using combinations of water, heat, and 

20 pressure, they are not easy to add or alter outside of the paper factory. 
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Watermarks are used in making letterheads and are intended to indicate source 
and that a document is authentic and original and not a reproduction. 

One technique for creating such a watermark when a digital work is 
printed is described in U,S, Patent No. 5, 530, 759 entitled "Color Correct Digital 
5 Watermarking of Images" issued June 25, 1996. In this approach the watermark 
image is combined with the digital image to created the watermarked image. 
The watemnark image acts as a template to change the chromaclty of 
corresponding pixels in the digital image thus creating the watermark. In any 
event, these notices server as social reminders to people to not make 
10 photocopies. 

The term watemiark is^now used to^ver a wide range of technologies for 
marking rendered works, including text, digital pictures, and digital audio with 
infonnation that identifies the work or the publisher. Some watermarks are 
noticeable to people and some are hidden. In some kinds of watenmarks, the 
15 embedded information is human readable, but in other kinds the infonnation can 
only be read by computers. 

The term fingerprint Is sometimes used in contrast with watenmarks to 
refer to marks that carry information about the end user or rendering event rather 
than the document or publisher. These mart<s are called "fingerprints" because 
20 they can be used to trace the source of a copy back to a person or computer that 
rendered the original. 
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The same technologies and kinds of marks can be used to carry both 
watemnark and fingerprint information. In practice, it is not only possible but 
often desirable and convenient to combine both kinds of infomfiation — for 
watermarks and fingerprints — in a single mark. 

5 With respect to paper based documents, the simplest approach to 

providing a mark is a graphical symbol or printed notice that appears on each 
page. This is analogous to a copyright notice. Such notices can be provided by 
the publisher in the document source or added later by a printer. These notices 
serve as social reminders to people to not make photocopies. 

10 Other approaches hide information in the grey codes (or intensity) on a 

page. Although in principle such approaches can embed data in greycode fonts, 
their main application so far has been for embedding data in photographs. One 
set of approaches is described by Cox et al. in a publication entitled ''Secure 
spread spectrum watemiarking for Multimedia", NEC Research Institute 

15 Technical Report 95-10, NEC Research Institute, Princeton, NJ 08540. To 
decode data encoded in the approached described by Cox et al. requires 
comparing the encoded picture with the original to find the differences. The 
advantage of these approaches is that they can embed the data in such a way 
that it is very difficult to remove, not only by mechanical means but also by 

20 computational means. 

As described above, watennarks need not be perceptible to the viewer. 
For example, one technique is to embed data in the white space of a document. 
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An example of this kind of approach was described by Brassll, et al. In a 
publication entitled "Electronic marking and identification techniques to 
discourage document copying", IEEE Journal on Selected Areas in 
Communications, Vol. 13, No. 8 pages 1495-1504, October 1995. The idea is to 
5 slightly vary the spacing of letters and lines in a digital work. The advantages of 
this approach are that it is not visible and is hard to remove. The disadvantage 
is that it has a very limited capacity for carrying data - only a few bytes per page. 

Another watemiarking scheme for use In digital works representing 
images is available from the Digimarc Corporation. The Digimarc watemiark is 

10 invisible and is used to convey ownership information relating to the image. 
From the Digimarc World Web Page describing their technology (URL 
http://www.digimarc.com/wt _j)age.html): "A Digimarc watermark imitates naturally 
occurring Image variations and is placed throughout the image such that It 
cannot be perceived. To further hide the watermark, the Digimarc watenmarking 

15 process is perceptually adaptive - meaning it automatically varies the intensity of 
the watemnari< in order to remain invisible in both flat and detailed areas of an 
image." Reading of the Digimarc watemrjark is through a Digimarc reader which 
can extract the watermark from the image. 

Other prior art relating to embedding data in a print medium includes 
20 Daniele, U.S. Patent No. 5, 444, 779, on "Electronic Copyright Royalty 

Accounting System for Using Glyphs", which discloses a system for utilizing a 
printable, yet unobtrusive glyph or similar two-dimensionally encoded mark to 
identify copyrighted documents. Upon attempting to reproduce such a 
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document, a glyph is detected, decoded and used to accurately collect and/or 
record a copyright royalty for the reproduction of the document or to prevent 
such reproduction. Furthermore, the glyph may also include additional 
information so as to enable an electronic copyright royalty accounting system, 
5 capable of interpreting the encoded information to track and/or account for 
copyright royalties which accrue during reproduction of all or portions of the 
original document. 

Summary of the Invention 

A trusted rendering system for use in a system for controlling the 
10 distribution and use of digital wori<s is disclosed. The currently preferred 
embodiment of the present invention is implemented as a trusted printer. 
However, the description thereof applies to any rendering device. A trusted 
printer facilitates the protection of printed documents which have been printed 
from a system which controls the distribution and use of digital wori<s. The 
15 system for controlling distribution and use of digital works provides for attaching 
persistent usage rights to a digital wori<. Digital works are transferred in 
encrypted fonm between repositories. The repositories are used to request and 
grant access to digital works. Such repositories are also coupled to credit 
servers which provide for payment of any fees incurred as a result of accessing a 
20 digital wori<. 

The present invention extends the existing capabilities of the system for 
controlling distribution and use of digital works to provide a measure of protection 
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when a document is printed. The present invention adds to the system the ability 
to include watermark information to a document when it is rendered (i.e. a Print 
right associated with the document is exercised). In the currently preferred 
embodiment of a trusted printer, the watermark is visible. However, other 

5 "invisible" watemnarking technologies may also be used. The watermark data 
typically provides infomnation relating to the owner of a document, the rights 
associated with that copy of the document and infomiation relating to the 
rendering event (e.g. when and where the document was printed). This 
infomnation will typically aid in deterring or preventing unauthorized copying of 

10 the rendered work. It is worth noting that the present invention further provides 
for multiple types of watennarks to be provided on the same digital work. 

Specification of the watermark information is preferably added to a 
document at the time of assigning render or play rights to the digital work. With 
respect to printed digital works, at the time of page layout special watemnartc 

15 characters are positioned on the document. When the document is printed, a 
dynamically generated watenmark font is created which contains the watermark 
information specified In the print right. The font of the watermark characters are 
changed to the dynamically generated watemnaric font. The dynamically 
generated watemnark font is created using an embedded data technology such 

20 as the glyph technology developed by the Xerox Corporation and described in 
U.S. Patent no. 5,486,686 entitled "Hardcopy Lossless Data Storage and 
Communications For Electronic Document Processing Systems", which is 
assigned to the same assignee as the present application. 
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Brief Description of the Drawings 

Figure 1 is a block diagram illustrating the basic interaction between 
repository types in a system for controlling the distribution and use of digital 
works in the currently preferred embodiment of the present invention, 

5 Figure 2 is an illustration of a repository coupled to a credit server for 

reporting usage fees as may be used in a system for controlling the distribution 
and use of digital works in the currently preferred embodiment of the present 
invention. 

Figure 3a is an illustration of a printer as a rendering system as may be 
10 utilized in a system for controlling the distribution and use of digital works in the 
5 currently preferred embodiment of the present Invention. 

Figure 3b is ^ block diagram illustratingjlhe functional elements of a 

^ trusted printer repository in the currently preferred embodiment of the present 
invention. 

15 Figure 4 is a flowchart of the basic steps for digital wori< creation for 

printing on a trusted printer as may be performed in the currently preferred 
embodiment of the present invention. 

Figure 5 is an illustration of a usage rights specification for a digital wori< 
that may be printed on a user's trusted printer in the currently preferred 
20 embodiment of the present invention. 
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Figure 6 is an illustration of a usage rights specification for a digital work 
that may only be printed on a shared trusted printer residing on a network in the 
currently preferred embodiment of the present invention. 

Figure 7 is an illustration of a printed page having a glyph encoded 
5 watermark. 

Figure 8 is an illustration of a set of sample embedded data boxes having 
different storage capacities as may be used as watermark characters of a 
watennark font set in the currently preferred embodiment of the present 
invention. 

10 Figure 9 is an illustration of a print right having the watennark infonnation 

specified as may be used set in the currently preferred embodiment of the 
present invention. 

Figure 10 is a flowchart summarizing the basic steps for a creator to 
cause watemnarks to be placed in their documents as may be perfomied in the 
15 currently preferred embodiment of the present invention. 

Figure 11 is a flowchart of the steps required for printing a document as 
may be performed in the currently preferred embodiment of the present 
invention. 
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Figure 12 is a flowchart outlining the basic steps for extracting the 
embedded data as may be perfomned in the currently preferred embodiment of 
the present invention. 

Figure 13 is an illustration of an implementation of the present invention 
as a trust box coupled to a computer based system. 

Figure 14 is a flowchart illustrating the steps involved in printing a digital 
work using the trust box implementation of Figure 13. 

Figure 15 is an illustration of an implementation of the present invention 
as a printer server. 

Figure 16 is a flowchart illustrating the steps involved in printing a digital 
work using the printer server implementation of Figure 15. 
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Detailed Description of the Invention 

A trusted rendering device for minimizing the risk of unautiiorized copying 
of rendered digital works is described. Tfie risk of unautiiorized copying of digital 
documents comes from three main sources: interception of digital copies when 
5 they are transmitted (e.g.. by wiretapping or packet snooping); unauthorized use 
and rendering of digital copies remotely stored, and unauthorized copying of a 
rendered digital work. The design of trusted rendering devices described herein 
addresses all three risks. 

Trusted rendering combines four elements: a usage rights language, 
10 encrypted on-line distribution, automatic billing for copies, and digital watemiarks 
for marking copies that are rendered. 

• Usage Rights language. Content providers indicate the temns, conditions, 
and fees for printing documents in a machine-readable property rights 
language. 

15 • Encrypted Distribution. Digital works are distributed from trusted systems 
to trusted rendering devices via computer networks. To reduce the risk of 
unauthorized interception of a digital work during transmission, it is 
encrypted. Communication with the rendering system is by way of a 
challenge-response protocol that verifies the authorization and security of 

20 the rendering device. 
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Automatic Billing. To ensure a reliable income stream to content 



providers, billing of royalties is on-line and automatic. 



Watermarks. Finally, to reduce the risk of copying of rendered works, the 



rendered work is watermarked to record data about the digital work and 



5 



the rendering event. Furthermore, watemnarks are designed to make 



copies distinguishable from originals. As will be described below, 



watemnark information is specified within a rendering or play right in the 



usage rights language. 



The currently preferred embodiment of the present invention is 



10 implemented as a trusted printer. The foregoing description will be directed 
primarily to printers, but the concepts and techniques described therein apply 
equally to other types of rendering systems such as audio players, video players, 
displays or multi-media players. 

Overview of A System For Controlling the Distribution and Use of Digital Works. 

15 The currently preferred embodiment of the present invention operates in a 

system for controlling the distribution and use of digital works is as described in 
co-pending U.S. patent application serial no. 08/344, 042, entitled "System for 
Controlling the Distribution and Use of Digital Works" and which is herein 
incorporated by reference. A digital work is any written, audio, graphical or video 

20 based work including computer programs that have been translated to or created 
in a digital fomi, and which can be recreated using suitable rendering means 
such as software programs. The system allows the owner of a digital work to 
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attach usage rights to the work. The usage rights for the work define how it may 
be used and distributed. Digital works and their usage rights are stored in a 
secure repository. Digital works may only be accessed by other secure 
repositories. A repository is deemed secure if it possesses a valid identification 
5 (digital) certificate issued by a Master repository. 

The usage rights language for controlling a digital work is defined by a 
flexible and extensible usage rights grammar. The usage rights language of the 
currently preferred embodiment is provided in Appendix A. Conceptually, a right 
in the usage rights grammar is a label attached to a predetermined behavior and 

10 defines conditions to exercising the right. For example, a COPY right denotes 
that a copy of the digital work may be made. A condition to exercising the right is 
the requester must pass certain security criteria. Conditions may also be 
attached to limit the right itself. For example, a LOAN right may be defined so as 
to limit the duration of which a work may be LOANed. Conditions may also 

15 include requirements that fees be paid, 

A repository Is comprised of a storage means for storing a digital work and 
its attached usage rights, an extemal interface for receiving and transmitting 
data, a processor and a clock. A repository generally has two primary operating 
modes, a server mode and a requester mode. When operating in a sen/er 
20 mode, the repository is responding to requests to access digital works. When 
operating in requester mode, the repository is requesting access to a digital 
work. 
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Generally, a repository will process each request to access a digital work 
by examining the work's usage rights. For example, in a request to make a copy 
of a digital work, the digital work is examined to see if such "copying" rights have 
been granted, then conditions to exercise the right are checked (e.g. a right to 
5 make 2 copies). If conditions associated with the right are satisfied, the copy can 
be made. Before transporting the digital work, any specified changes to the set 
of usage rights in the copy are attached to the copy of the digital work. 

Repositories communicate utilizing a set of repository transactions. The 
I repository transactions embody a set of protocols for establishing secure session 

1 10 — connections between repositoriesr and for processing access requests to the 

S digital works> Note tha t digital w orks a nd various communications are encrypted 

111 whenever they are transferred between repositories. 

i U Digital works are rendered on rendering systems. A rendering systems is 

H comprised of at least a rendering repository and a rendering device (e.g. a 

15 printer, display or audio system). Rendering systems are internally secure. 
Access to digital wori<s not contained within the rendering repository is 
accomplished via repository transactions with an extemal repository containing 
the desired digital work. As will be described in greater detail below, the 
currently preferred embodiment of the present invention is implemented as a 
20 rendering system for printing digital worths. 

Figure 1 illustrates the basic interactions between repository types in the 
present invention. As will become apparent from Figure 1 , the various repository 
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types will serve different functions. It is fundamental that repositories will share a 
core set of functionality which will enable secure and trusted communications. 
Referring to Figure 1 , a repository 101 represents the general instance of a 
repository. The repository 101 has two modes of operations; a server mode and 
5 a requester mode. When in the server mode, the repository will be receiving and 
processing access requests to digital works. When in the requester mode, the 
repository will be initiating requests to access digital works. Repository 101 may 
communicate with a plurality of other repositories, namely authorization 
repository 102, rendering repository 103 and master repository 104. 

□ 

10 Communication between repositories occurs utilizing a repository transaction 
protocol 105. 

o 

j n Communication with an authorization repository 102 may occur when a 

Q digital work being accessed has a condition requiring an authorization. 
3 Conceptually, an authorization is a digital certificate such that possession of the 
3 15 certificate is required to gain access to the digital work. An authorization is itself 
a digital work that can be moved between repositories and subjected to fees and 
usage rights conditions. An authorization may be required by both repositories 
involved In an access to a digital work. 

Communication with a rendering repository 103 occurs in connection with 
20 the rendering of a digital wori<. As will be described in greater detail below, a 
rendering repository is coupled with a rendering device (e.g. a printer device) to 
comprise a rendering system. 
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Communication with a master repository 105 occurs in connection with 
obtaining an identification certificate. Identification certificates are the means by 
which a repository is identified as "trustworthy". The use of identification 
certificates is described below with respect to the registration transaction, 

5 Figure 2 illustrates the repository 101 coupled to a credit server 201 . The 

credit server 201 is a device which accumulates billing infomiation for the 
repository 101 , The credit server 201 communicates with repository 101 via 
billing transaction 202 to record billing transactions. Billing transactions are 
reported to a billing clearinghouse 203 by the credit server 301 on a periodic 

10 - basis^ The cr^it^erver 204 communicates to the^billing clearinghouse 203 via 
clearinghouse transaction 204. The clearinghouse transactions 204 enable a 
secure and encrypted transmission of infonrnation to the billing clearinghouse 
203. 

Rendering Systems 

15 A rendering system is generally defined as a system comprising a 

repository and a rendering device which can render a digital work into its desired 
fonm. Examples of a rendering system may be a computer system, a digital 
audio system, or a printer. In the currently preferred embodiment, the rendering 
system is a printer. In any event, a rendering system has the security features of 

20 a repository. The coupling of a rendering repository with the rendering device 
may occur in a manner suitable for the type of rendering device. 
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Figure 3a illustrates a printer as an example of a rendering system. 
Referring to Figure 3a, a printer system 301 has contained therein a printer 
repository 302 and a print device 303. It should be noted that the dashed line 
defining printer system 301 defines a secure system boundary. Communications 

5 within the boundary is assumed to be secure and in the clear (i.e. not encrypted). 
Depending on the security level, the boundary also represents a barrier intended 
to provide physical integrity. The printer repository 302 is an instantiation of the 
rendering repository 105 of Figure 1 . The printer repository 302 will in some 
instances contain an ephemeral copy of a digital work which remains until it is 

10 printed out by the print engine 303, In other instances, the printer repository 302 
may contain digital wori<s such as fonts, which will remain and be billed based on 
use. This design assures that all communication lines between printers and 
printing devices are encrypted, unless they are within a physically secure 
boundary. This design feature eliminates a potential "faulf point through which 

15 the digital wori< could be improperly obtained. The printer device 303 represents 
the printer components used to create the printed output. 

Also illustrated in Figure 3a is the repository 304. The repository 304 is 
coupled to a printer repository 302. The repository 304 represents an external 
repository which contains digital works. 

20 Figure 3b is a block diagram illustrating the functional elements of a 

trusted printer repository. Note that these functional elements also would be 
present in any rendering repository. Referring to Figure 3b, the functional 




16 



Express Mail No. EG366229809US 



embodiment is comprised of an operating system 310, core repository services 
31 1 , and print repository functions 312. The operating system 310 is specific to 
the repository and would typically depend on the type of processor being used to 
implement the repository. The operating system 1301 would also provide the 
5 basic services for controlling and interfacing between the basic components of 
the repository. 

The core repository services 31 1 comprise a set of functions required by 
each and every repository. For a trusted printer repository the core repository 
services will include engaging In a challenge response protocol to receive digital 
10 -w^rks and decryption of received digital data — 

The print repository functions 312 comprise functionality for rendering a 
work for printing as well as gathering data for and creating a digital watemiark. 
The functionality unique to a print repository will become apparent in the 
description below (particularly with respect to the flowchart of Figure 11), 

15 Basic Steps For Dioital Wori< Creation For Printing On A Trusted Printer 

Figure 4 is a flowchart illustrating the basic steps for creating a digital wori< 
that may be printed on la trusted printer so that the resulting printed document is 
also secure. Note that a number of well known implementation steps, e,g. 
encryption of digital worics, have been omitted in order to not detract from the 
20 basic steps. First, a digital woric is written, assigned usage rights including a 
print right which specifies watermark information and is deposited In repository 1 , 
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step 401 . As will be described in more detail below, the assignment of usage 
rights is accomplished through the use of a rights editor. Deposit of the digital 
work into repository 1 is an indication that it is being placed into a controlled 
system. Next, repository 1 receives a request from repository 2 for access to the 
5 digital work, step 402 and repository 1 transfers a copy of the digital work to 
repository 2, step 403. For the sake of this example, it is assumed that a 
"trusted" session between repository 1 and repository 2 has been established. 
The challenge response protocol used in this interaction is described in co- 
pending application serial no. 08/ 344, 042 and thus no further discussion on the 
10 challenge response protocol is deemed necessary. 

Repository 2 then receives a user request to print the digital work, step 
404. Repository 2 then establishes a trusted session with a printer repository of 
the printing system on which the digital work will be printed, step 405, The 
printer repository receives the encrypted digital work and determines if it has a 
15 print right, step 406. If the digital work has the print right, the printer repository 
decrypts the digital work and generates the watermark that will be printed on the 
digital work, step 407. The printer repository then transmits the decrypted digital 
work with the watermark to a printer device for printing, step 408. For example, 
the decrypted digital wori^ may be a Postscript™ file of the digital wori^. 

20 Controlling Printing With the Usage Rights Grammar 

A key concept in governing sale, distribution, and use of digital worics is 
that publishers can assign "rights" to works that specify the terms and conditions 
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of use. These rights are expressed in a rights language as described in co- 
pending application serial no. 08/344,042. The currently preferred grammar Is 
provided herein in Appendix A. It is advantageous to specify watemiark 
information within a rendering or play right within the grammar for a number of 

5 reasons. First, specification in this manner is technology independent. So 

different watermarking technologies may be used or changed without altering the 
document. Second, multiple watemnarking technologies may be applied to the 
same digital work, e.g. a visible watermarking technology and an invisible 
watermarking technology. So if the visible watermark is removed, the invisible 

10 one may remain. Third, the watermark information to be placed on the digital 
work can be associated with the rendering event, rather than the distribution 
event. Fourth, the watermark infonnation can be extended to include the entire 
distribution chain of the digital wori<. Fifth, security and watemnarking capabilities 
of aTenderirrg systefTf may^be^spedfied as~a"'^^^ This will 

15 further insure the trusted rendering of the digital wori<. 

As a result of these advantages, this type of specifying watermart< 
infonnation fully supports the Superdistribution of digital worics. Superdistributlon 
is distribution concept where every possessor of a digital woric may also be a 
distributor of the digital work, and wherein every subsequent distribution is 
20 accounted for. 

When a publisher assigns rights to a digital wori<, the usage rights enables 
them to distinguish between viewing (or playing) rights and print rights. Play 
rights are used to make ephemeral, temporary copies of a woric such as an 
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image of text on a display or the sound of music from a loudspeaker. Print rights 
are used to make durable copies, such as pages from a laser printer or audio 
recordings on a magnetic media. 

Example - Trusted Printing from a Personal Computer 

5 Figure 5 is an example of the usage rights for a digital wori< which enables 

trusted printing from a personal computer. Referring to Figure 5, various tags 
are used in for the digital wori<. The tags "Description" 501 , "Work-ID" 502 and 
"Owner" 503 provide identification information for the digital wori<. 

Usage rights are specified individually and as part of a group of rights. 

10 The Rights-Group 504 has been given a name of "Regular^. The bundle label 
provides for a fee payee designation 505 and a minimum security level 506 that 
are applied to all rights in the group. The fee payee designation 505 is used to 
indicate who will get paid upon the invocation of a right. The minimum security 
level 506 is used to indicate a minimum security level for a repository that wishes 

15 to access the associated digital work. 

The rights in the group are then specified individually. The usage rights 
specify no fee for transferring 508, deleting 509 or playing 510, but does have a 
five dollar fee for making a digital copy 507. It also has two Print rights 51 1 and 
512, both requiring a trusted printer (specified by 513) The first Print right 51 1 
20 can be exercised if the user has a particular prepaid ticket (specified by 514). 
The second print right has a flat fee of ten dollars (specified by 515). The 
example assumes that the digital vjotk can be transmitted to a user's computer 
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by exercising the Copy right, and that the user can play or print the work at his or 
her convenience using the Play and Print rights. Fees are logged from the user's 
workstation whenever a right is exercised. 

Also illustrated in Figure 5 are watermark specifications 516 and 517. The 
5 particular detail for the watermark specifications 516 and 517 is provided below 
with reference to Figure 9. 

Example - Trusted Printing to an Internet Printer 

Figure 6 illustrates a different set of rights for the same digital book. In 
this version, the publisher does not want digital delivery to be made to a 

10 consumer workstation. A practical consideration supporting this choice may be 
that the publisher wants to minimize the risk of unauthorized digital copying and 
requires a higher level of security than is provided by trusted systems on 
—available workstations.-Ji3stead^te^ be sent directly 

from an on-line bookstore to a trusted printer. Printing must be prepaid via digital 

15 tickets (see fee specification 601). To enable digital distribution to authorized 
distributors but not directly to consumers, the publisher requires that both parties 
in a Copy and Transfer right to have an authorizing digital license (see certificate 
specifications 602 and 603). Lacking such a license, a consumer can not access 
the work at a workstation. Instead, he or she must print the wori(. 

20 Also illustrated in Figure 6 is the watemiark specifications 604. The 

watermark specification 604 is described in greater detail below with respect to 
Figure 9. 
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Watermarks and Fingerprints 

Three main requirements for watennarks on trusted printers have been 
identified: 

• Social Reminder. This requirement is for a visible printed indication 

5 about whether photocopying is permitted. This could be a printed statement on 
the document or an established icon or symbol within a corporation indicating a 
security level for the document. 

• Auditing. This requirement is for a way to record information on the 
document about the printing event, such as who owns the print rights, whether 

10 photocopying is permitted, and what person or printer printed the document and 
—when the document was printedr 

• Copy Detection. This requirement is a way for differentiating between 
printed originals and photocopies. In general, this requirement involves using 
some print patterns on the page which tend to be distorted by photocopiers and 

15 scanners. For some patterns, the difference between copies and printed original 
is detectable by people; for other patterns, the difference is automatically 
detectable by a computer with a scanner. 

In the currently preferred embodiment, watenmart<s are created with 
embedded data technology such as glyph technology developed by the Xerox 
20 corporation. Glyph technology as it is used as embedded data printed on a 
medium is described in U.S. Patent no. 5,486,686 entitled "Hardcopy Lossless 
Data Storage and Communications For Electronic Document Processing 




22 



Express Mail No. EG366229809US 



9 



Systems", which is incorporated by reference herein. Using glyphs as digital 
watennarks on printed documents is described in co/pending application serial 
no, 08/734, 570 entitled "Quasi-Reprographics With Variable Embedded Data 
With Applications To Copyright Management , Distribution Control, etc.", which is 
5 assigned to the same assignee as the present application and is incorporated by 
reference herein. 

Generally, embedded data technology Is used to place machine readable 
data on a printed medium. The machine readable data typically is in a coded 
form that is difficult if not impossible for a human to read. Another example of an 
10 embedded data technology is bar codes. 

Embedded data technology can be used to carry hundreds of bits of 
embedded data per square inch in various grey patterns on a page. Preferably, 
glyphs are used because the marks representing the encoded data can be used 
to create mari<s which are more aesthetically appealing then other embedded 

15 data technologies. With careful design, glyphs can be integrated as graphical 
elements in a page layout. Glyphs can be used with any kind of document. 
Glyph watermari^s to carry document identification can be embedded by the 
publisher; while glyphs carrying data about a print event can be added to the 
watennaric at the time of printing by a printing system. Both document 

20 identification and fingerprinting data can be embedded in the same watennari^. 
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It should be noted that a disadvantage of glyphs and with all forms of 
visible and separable watennarks, is that with mechanical or computational 
effort, they can be removed from a document. 

Figure 7 illustrates an example of a document image having a glyph 
5 encoded watennark. Refemng to Figure 7, a document page 701 has various 
text 702. Also included is a glyph encoded watermark 703. Note that the 
document is not limited to text and may also include image or graphical data. 

Integrating Embedded Data As Watemnarks Into Trusted Printing Systems 

This section describes briefly how embedded data technology can be 
10 used in trusted printing systems to embed watennart<ing data. How glyphs and 
_^^_watermarkjdata-areiiandled at each stage in creating, publishing, and printing a 
document is discussed. 

It-has^een^etermined that for integrating^embedded data such as glyphs 

into trusted printing systems, the requirements include: 

15 • Document designers such as authors and publishers must be able to 
specify on a page by page basis the position and shape of watermarks, so 
that they can be incorporated into the design of the document. 

♦ The approach should be compatible with mainline document creation (e.g. 
word processing) systems. 

20 • The approach should wori< within the protocols of existing printers. 
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The approach should carry the fingerprint (or run-time) data in Usage 



Rights specifications. 



The approach should not significantly slow down printing. 



Herein the tenn media-dependent data is used to refer to information 



5 about how a watennark is located and shaped within the document content. The 
approach depends on the use of Usage Rights to express the data to be 
encoded in the watermark. 

Document Creation 

Publishers use a wide variety of tools to create documents. Different text 
10 editors or word processors provide different ways and degrees of control In 

laying out text, pictures and figures. One thing that all text editors have is a way 
to locate text on a page. In effect, this is a lowest common denominator in 
abilities for all systems. 

Exploiting this common capability provides insight about how to use 
15 glyphs to represent watermarks: 



Gyph watennarks are organized graphically as rectangular boxes. 



Different sized boxes have different capacities for carrying data. On 300 



dpi printers, about 300 bytes per Inch can be encoded in glyphs. Note 



that this can represent even more data if the original data is compressed 



20 



prior to glyph encoding. Note for greater reliability, some data may be 



repeated redundantly, trading data capacity for reliability. 
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• Each glyph watermark is represented to a document creation program as 
a character in an initial glyph watermark font. Boxes of different sizes and 
shapes are represented as different characters for the initial glyph 
watemiark font. When a digital work is printed, the encoding of the data is 
analogous to calculating and changing the watermark font. 

In practice, a designer laying out a document would open a page of a 
glyph catalog containing glyph boxes of different sizes. The glyph boxes in the 
catalog would probably contain just test data, e.g. a glyph ASCII encoding of the 
words "test pattern glyph Copyright © Xerox Corporation 1997. All Rights 
Reserved". The designer would determine ahead of time how much data he 
wants to encode per page, such as 100, 300, 500, or 1000 bytes. The designer 
would copy a "box" (actually a character) of the corresponding size into their 
document and locate it where they want it on the page, typically incorporating it 
as a design element. 

Figure 8 illustrates a set of sample watemnark characters (i.e. glyph 
boxes) having different storage capacities. An actual catalog would contain 
additional shapes and would be annotated according to the data-canying 
capacity of the glyphs. 

Note that the glyph encoded watermarks can also be placed in figures, 
since drawing programs also have the capability to locate characters on a page. 

When the creator saves their work, the document creation program writes 
a file in which characters in the glyph font are used to represent the watermarks. 
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If the creator prints the document at this stage, he will see more or less what the 
final sold versions will look like except that the test data encoded in the gray 
tones of the glyph box will later be replaced by the dynamically generated 
watermark data. 

5 Specifying Watermaric Data 

When the author or publisher gets ready to publish the work and import it 
into a system for controlling distribution use of digital works, one of the steps is to 
assign rights to the wori< using a Rights Editor. The Rights Editor is a program 
with which a document owner specifies terms and conditions of using a digital 
10 work. 

This is the point at which document identification data and also print event 
data are specified. Figure 9 illustrates the watennari< information specified for a 
priritjiight. Note that the watermark information specification is optional within 
the grammar. Referring to Figure 9, print right 901 specifies that a purchaser of 

15 the document must pay ten dollars to print the document (at fee specification 
902), The document must only be printed on a trusted printer of a given type (at 
printer specification 903). Furthemiore, the watemiari< must embed a particular 
string "Title: Moby Dog Copyright 1994 by Zeke Jones. All Rights Resen/ed" and 
also include various data about the printing event (at Watennari<-Tokens 

20 specification 904). Note that the watermari^ tokens specification are used to 
specify the *1ingerprinf infomnation associated with the printing of the digital 
wori^. Here the specified printing event data is who printed it out, the name of 
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the institution printing it out, the nanne of the printer, the location of the printer 
and the time that the digital work was printed. As will be described below, this 
information is obtained at print time. 

Figure 10 is a flowchart summarizing the basic steps for a creator to 
5 cause watermarks to be placed in their documents. As part of the layout of the 
textual document the designer detennines how much data is required by the 
watermark, step 1001 . Based on the amount of needed data, a suitable 
watermari< character (e.g. glyph box) is selected, step 1002. The watemnaric 
character is then positioned onto a page (or the pages) of the digital work, step 
10 1003. Finally, as part of the rights assignment for the digital work document, a 
print right with a watennari< specification is made, step 1004, At this point, the 
document can be viewed with the watemiark positioned in the desired place(s) 
on the document. However, the actual fingerprint and other identifying data in an 
embedded data format has not yet been created. This is created dynamically at 
15 print time as described below. 

Printing the Digital Wori< 

The next steps for the digital wort< are that it is published and distributed. 
During this process, the digital wori< is protected by the encryption and other 
security systems that are employed and the rights travel with the document. Part 
20 of this process assures that any printer or woricstation that has a copy of the 
document also has digital certificates which contain infomiation identifying the 
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trusted system, trusted printer, user, and so on (a process described in more 
detail in co-pending application serial no.08/344,042). 

Figure 1 1 is a flowchart of the steps required for printing a document. 
Referring to Figure 1 1 , at some point, a user decides to print a document, step 

5 1 101 . Typically this is done via a print command invoked through some interface 
on the users system. This opens a challenge-response protocol between the 
"user"' repository containing the document and the printer repository, step 1 102, 
During this exchange, the security and watemnark capabilities of the printer are 
checked. If the printer does not have the proper security or watermark 

10 capabilities, the digital work cannot be printed on that printer. The printer 
security level and watemnark capabilities are specified in the identification 
certificate for the printer. Assuming that the printer has the proper security levels 
and watemiaric capabilities, the "user" repository then checks that the digital wori< 
has the required print right, step 1 103* Assuming that the digital wori^ has 

15 required print right the user repository may interface with a credit server to report 
any required fees for the printing the digital work, step 1 1 04. Note that the actual 
billing for the digital woric may occur when the right is invoked either when the 
print exercised or when It can be verified that the document has been printed. 
The latter case protects the user in the situation wherein printing may become 

20 inadvertently terminated before the entire digital wori< is printed, 

A computation is then performed to gather together the infomnation to be 
embedded in the watennark and to incorporate it into a new font for the 
watermark character. First the information must be gathered from digital 



29 

Express Mail No. EG366229809US 




identification certificates belonging to the user or the trusted printer, such as 
names, locations, and the current date and time, step 1 1 05. This information is 
"printed" intemally into computer memory, creating a bitmap image of glyph 
boxes of different sizes, step 1 106. Creation and coding of glyphs is described 
5 in the aforementioned U.S. Patent no. 5,486,686, thus no further discussion on 
the encoding of glyph patterns is deemed necessary. In any event, this 
information is then assembled into a font definition, step 1 107. 

The digital work is then decrypted and downloaded into the printer, step 
1 108. When the digital work is downloaded into the printer, part of the protocol 
10 is also to download the new "revised" glyph font, which now has characters 
corresponding to glyph boxes. This font looks more or less like the one that the 
publisher used in creating the document, except that the gray codes inside the 
font boxes now embed the data that the publisher wants to appear in the 
watemiarks on the document. 

15 The printer then prints the digital work, step 1 109. When the document is 

printed, the glyphs that appear on the pages contain the desired watermark data. 

Reading The Embedded Data Contained In Tt\e Watermarii 

Figure 12 is a flowchart outlining the basic steps for extracting the 
embedded data. First, the printed document is scanned and a digital 
20 representation obtained, step 1201 . The location of the watermark and the 

corresponding embedded data is then found, step 1202. The watermark may be 
found using techniques for finding characteristic pixel patterns in the digital 
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representation of the printed document. Alternatively, a template for the 
document may have been created that could be used to quickly find the 
watermark location. In any event, the embedded data is extracted from the 
watermark and decoded, step 1203. The decoded data is then converted to a 
5 human readable form, step 1204. This may be on a display or printed out. The 
data extracted is then used to identify who and where the unauthorized 
reproduction of the digital work came from. 

Note that the means for extraction of the watermark data is dependent on 
the technology used to embed the watermark data. So while the actual 

10 extraction steps may vary, they do not cause departure from the spirit and scope 

of the present invention. 

Trusted Printer Embodiments 

In the following, two embodiments of tmsted printer implementations are 
described: desktop implementations for personal printers and print server 
15 implementations for larger workgroup and departmental printers. 

Desktop Implementations 

There is a large and growing install base of personal printers. Typically, 
such printers are connected to personal computers by serial output ports. In 
other cases, they are installed on small local area networks serving a few offices. 

20 To sen/e this mari<et a "trust box" is provided which would be positioned in 

between the personal computer and the personal printer. The "trust box" would 
act as a print repository for the trusted printer system. This is a maricet where 
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the purchase of such hardware would be justified by the convenience of digital 
delivery to the office, for those documents that publishers are unwilling to send in 
the clear (i.e. not encrypted). The cost of the trust box offsets either waiting for 
mail delivery or driving to another location to pick up trusted printer output 

5 Figure 13 is an illustration of a trust box in a computer based system. 

Referring to Figure 13, a personal computer 1301 is coupled to a network 1302. 
The personal computer 1301 itself is part of a trusted system in that it embodies 
a repository. The personal computer would receive digital works through the 
network 1302 (e.g. over the Internet). The personal computer 1301 is further 

10 coupled to trust box 1303. The communications between the repository 
contained in the personal computer 1301 and the trust box 1303 are encrypted 
for security purposes. Finally, the trust box 1303 is coupled to a printer 1304. 
The printer 1304 receives decrypted print streams for printing. 

From a conceptual perspective, the personal computer combined with the 
15 trust box and printer form a trusted system. The trust box implementation would 
woric with other system elements as Illustrated in the steps of the flowchart of 
Figure 14. 

Referring to Figure 14, the consumer contacts the distributor of digital 
works using, for example, an Intemet browser such as Netscape Navigator or 
20 Microsoft Explorer, step 1401 . For the sake of brevity, it is assumed that a 
trusted session Is established between the consumer's repository and the 
distributor's repository. Using known user interface methods, the consumer 
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selects a work from a catalog or search service, step 1402. In this example, it is 
assumed that the rights holder has associated a Print right with the document, 
and that all temis and conditions for exercising the right are met by the consumer 
and the trust box. 

5 Once a work is selected the two repositories begin a purchase 

transaction, step 1403. As described in application serial no. 08/344, 042, there 
are several variations for billing. For concreteness, it is assumed that there is a 
billing account associated with the trust box. 

Using a helper application (or equivalent), the consumer's repository 
10 sends a digital certificate to the distributor which contains the trust box's public 
key, step 1404. The certificate itself is signed by a well-known repository, such 
as the printer's manufacturer. 

The distributor repository encrypts the document using DES or some 
other encryption code, step 1405. The encryption uses a key length that is 
15 compatible with requirements of security and legal constraints. The distributor 
repository encrypts the document key In an envelope signed by the public key of 
the printer box, step 1406, The distributor repository then sends the encrypted 
document and the envelope along to the consumer's workstation. 

The personal computer stores the encrypted document in its repository 
20 along with the envelope containing the key, step 1407. 

At some point, the user decides to print the document. Using a print 
program, he issues a print request, step 1408. His personal computer contacts 
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the trust box, retrieving its identity certificate encrypted in its public key, step 
1409, It looks up the watermark infomiation in certificates from the user, the 
computer itself, and the printer, step 1410. It downloads the watermark font to 
the printer through the trust box, step 141 1 . 

5 The print program begins sending the document, one page at a time to 

the trust box, step 1412. 

The trust box contacts the printer. It decrypts the document giving the 
document key to a decryption means (e.g. an internal decryption chip), step 
1413. It transmits the document to the printer in the clear, step 1414. Note that 
10 this is one place where a digital copy could be leaked, if a printer emulator was 
plugged into the print box to act like a printer. Presumably the security level of 
the trust box is set to a value that reflects the level of risk. The document is then 
printed, step 1415. 

The trusted print box design is intended to meet several main design 
15 objectives as follows: 

Installed Base. This approach is intended to work within the current 
installed base of desktop or personal printers. Installing a trusted print box 
requires loading software and plugging standard serial cables between the 
printer, the trusted print box, and the computer. 

20 Security. The approach inhibits unauthorized photocopying through the 

use of glyph watermarks. The approach inhibits digital copying by storing digital 
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works in an encrypted form, where the consumer workstation does not have 
access to the key for decrypting the work. 

Printer Limitations. The approach assumes that the user will plug the 
trusted print box into a standard printer. The printer is assumed to not have the 
5 capability of storing extra copies of the digital work. 

Building box in Printer. Variations of this approach include incorporating 
the trusted print box into the printer itself. That variation has the advantage that 
it does not present the document in the clear along any external connectors. 

Weak Link, A weak link in this approach is that there is an external 
10 connector that transmitsTh^docuir^^ ctear Although this is beyond the 
average consumer, it would be possible to build a device that sits between the 
trusted printer box and the printer that would intercept the work in the clear. 

Billing Variations, In the version presented here, the trusted print box has 
secure storage and programs for managing billing records, A simpler version of 

15 the approach would be to keep track of all billing on-line. For example, one way 
to do this would be to have the document printing start at the time that the 
customer orders it. In this variation, the document is still sent in encrypted form 
from the publisher, through the consumer's workstation, decrypted, and sent to 
the trusted print box, to the printer. The difference is that the taisted print box no 

20 longer needs to keep billing records and that the consumer must start printing 
the document at the time that the document is ordered. 
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Software-only Variation. Another variation on the desktop printing solution 
involves only software. The consumer/client purchases the work and orders the 
right to print it once. The on-line distributor delivers the work, encrypted, one 
page at a time. The consumer workstation has a program that decrypts the page 
and sends it to the printer with watemnarks, and then requests the next page. At 
no time is a full decrypted copy available on the consumer's computer. The 
weak link in this approach is that the consumer's computer does gain access to 
copies of pages of the work in the clear. Although this would be beyond the 
average consumer, it would be possible to construct software either to mimic 
runtime decryption software or modify it to save a copy of the work, one page at 
a time. 

Printer Server Implementations 

Much of the appeal of trusted printers is to enable the safe and 
commercial printing of long documents. Such printing applications tend to 
require the speed and special features of large, shared printers rather than 
personal printers. Provided herein is an architecture for server-based trusted 
printers. 

Besides the speed and feature differences of the print engines 
themselves, there are some key differences between server-based trusted 
printers and desktop trusted printers. 

• Server-based printers store complete copies of documents in files. 
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• Server-based printers have operating systems and file systems that may 
be accessible via a network. 

♦ Sender-based printers have consoles, accessible to dedicated or walk-up 
operators depending on the installation, 

5 These basic properties of server-based printers create their own risks for 

document security which need to be addressed. In addition, since server-based 
printers tend to be high volume and expensive, it is important that the trusted 
system features not significantly slow down competitive printer perfomnance. 

From a conceptual perspective, the print server (including network 
10 services and spooling) combined with the printer forms a trusted system. 

In abstract and functional terms, the operation of the server 
implementation is similar to that of the trust box implementation. The difference 
is that the^erver performs many^of the operations of the trust box. 

There are many variations on how the print server may need to 
15 interoperate with the other system elements. For example, the transaction with 
the printer may be with the user's computer or with an on-line repository that the 
user is communicating with. In the following, the transaction is described as 
happening from a repository, although that repository may be the user's own 
computer 

20 Figure 15 is a block diagram illustrating a print server implementation. 

Referring to Figure 15, a consumer workstation 1501 is coupled to publisher 
repository 1502. The publisher repository 1502 couples directly with a spooler in 
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printer repository 1503. The spooler is responsible for scheduling and printing of 
digital works. The spooler 1503 is coupled to the printer 1504. 

The sen/er implementation would work with other system elements as 
illustrated in the steps of the flowchart of Figure 16. Referring to Figure 16, the 
repository contacts the trusted printer's server, engaging in a challenge-response 
protocol to verify that the printer Is of the right type and security level to print the 
work, step 1601. These interactions also give the printer public certificates for 
the repository and user, that are used for retrieving watemiark Information. 

The distributor encrypts the document using DES or some other code, 
using a key length that is compatible with requirements of security and legal 
constraints, step 1602. It encrypts the document key in an envelope signed by 
the public key of server, step 1603. It sends the encrypted document to the 
server, step 1604. 

Note that in some versions of this architecture, different levels of 
encryption and "scrambling" (less secure) are used on the document at different 
stages in the server. It is generally Important to protect the document in all 
places where It might be accessed by outside parties. The use of lower security 
encoding is sometimes used to avoid potentially-expensive decryption steps at 
critical stages that would slow the operation of the printer. 

In any event, the server stores the encrypted document, step 1605. At 
some point, the spooler gets ready to print the document. Before starting, It mns 
a process to create a new version of the glyph font that encodes the watermari< 
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data, step 1606. It looks up the required watermark information in its own 
certificates as well as certificates from the repository and user. 

Finally, the spooler begins imaging the document, one page at a time, 
step 1607. 



Thus, trusted rendering systems for use in a system for controlling the 
distribution and use of digital works are disclosed. While the present invention is 
described with respect to a preferred embodiment, it would be apparent to one 
skilled in the art to practice the present invention with other configurations of 
10 infomiation retrieval systems. Such alternate embodiments would not cause 
departure from the^pirit-and scope-of the-pr esent invention . 
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APPENDIX A, 
GRAMMAR FOR THE USAGE RIGHTS LANGUAGE 



work-specification -> 
(Work: 

(Rights-Language-Version: version-id) 
(Work-ID: work-id )opt 
(Description: text-description )opt 
(Owner: certificate-spec )opt 
(Parts: parts-list )op\ 

(Contents: (From: address ) (To: address ))opt 
(Copies: copy-count )opt 
(Comment: comment-str )opx 
rights-group-list ) 

parts-list -> work-id i worfc-/c/ parts-list 

copy-count -> integer-constant I unlimited 

riglits-group-list -> 

rights-group-spec rights-group-listopt 

rights-group-spec -> 

( rights-group-header rights-group-name 

bundle-specopx 

cotnnientQpx 

rights-list) 

rights-group-header -> 
Rights-Group: I 
Reference-Rights-Group: 

bundle-speC'> 

(Bundle: commentopt time-specopt access-specopt 
fee-specopt watermark-specopt) 

comment -> (Comment: comment-sti) 
rights-list -> nght rights-listopt 

right -> {right-code commentopt time-specopt access-specopt fee-specopt ) 
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right-code -> 

transport-code t 
render-code I 
derivative-work-code I 
5 file-management'Code I 

conf/£furaf/on-code 

transport-code -> transport-op-spec next-copy-rights-specopt 
transport-op'Spec -> 
10 Copy: I 

Transfer: I 

Loan: remaining-rights-specopt 
next'copy-rights-spec -> ( Next-Copy-Rights: next-set-of-rights ) 
remaining-rights-spec -> { Remammg-Rights: rights-groups-list) 
15 next-set-of-rights -> rights-to-add-specopt I rightS'tO'delete-specopt 
rights-to-add-spec -> { Add: rights-groups-list ) 
rights-to-delete-spec -> ( Delete: rights-groups-list ) 

render-code -> 
20 Play: player-specopt I 
Print: printer-specopt I 
^^pQjfXrfepQSjtojy^specdpt 

player-spec -> (Player: ce/t/y/cate-//sf)opf (Watermark: watermark-spec) opt 
25 printer-spec -> (Printer: certificate-list) opt (Watermark: watermark-spec) opt 
repository-spec -> (Repository: certificate-list) opt 

derivative-work-code -> 

derivative-op-spec editor-specopt next-copy-rights-specopt 
30 derivative-op-spec -> 
Edit: I 
Extract: I 
Embed: 

editor-spec -> (Editor: certificate-list) 

35 

file-management-code -> 

Backup: backup-copy-rights-specopt 1 
Restore: I 

Verify: verifier-spec opt ' 
40 Folder: I 

Directory: I 
Delete: 

backup-copy-rightS'Spec -> Backup-Copy-Rights: rights-groups-list 
verifier-spec -> (Verifier: certificate-list) 
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configuration-code -> 
install: I 
Uninstall: 

5 

time-spec -> 

(Time: interval-type expiration-specopx ) 
inten/al'type -> 

fixed'inten/al'Spec I 
10 sliding-interval'Spec I 

metered'interval'Spec 
fixed-interval'Spec -> (From: moment-spec ) 
sliding-interval'Spec -> (Interval: interval-spec ) 
metered-interval-speo -> (Metered: interval-spec) 
15 expiration-spec -> {UnXW: moment-spec) 

moment-spec -> date-constant time-of-day-constantopt 
interval-spec -> 

calendar-units-constant I 

time-units-constant I 
20 calendar-units-constant time-units-constant 

fee-spec -> (Fee: ticket-spec I monetary-spec ) 

ticl<et-spec -> (Ticket: (Authority: authority-id) (Type: ticket-id )) 

monetary-spec -> 

25 ( fee-type min-price-specopt max-price-specopt account-spec ) 

fee-type -> 

(Per-Use; money-units )\ 
(Metered: (Rate: money-units ) 

( Per: interval-spec ) (By: interval-spec) opf I 
30 (Best-Price-Under: money-units )\ 

(Call-For-Price: dealer-id ) I 
(Markup: percentage ) 

money-units -> floating-constant (Currency: ISO-Currency-Code )opt 

35 

account-spec -> (To: account-id ) (House: clearing-house-id) opt I 
(From: account-id) (House: clearing-house-id) opt 
min-price-spec -> (Min: (Rate: money-units ) (Per: interval-spec )) 
max-phce-spec -> (Max: (Rate: money-units ) (Per: interval-spec )) 

40 

access-spec -> 

(Access: security-class-specopt 
user -specopt 
source-specopt 
45 destination-specopt ) 



42 



Express Mail No. EG366229809US 



•class-spec -> (Security: s-//sf) 
s-//sf-> S'pairl s-pair s-list 
S'pair'> {s-name: s-value) 
s-name -> literal-constant 
5 s-value -> floating-constant 

user-spec -> (User: autfiorization-spec) 
source-spec -> (Source: authorization-spec) 
destination-spec -> 

(Destination: authorization-spec) 
10 authorization-spec -> 

(Any: certificate-list ) I 

certificate-list -> certificate-spec certificate-listopx 
certificate-spec -> (Certificate: (Authority: authority-id) property-listopt ) 
15 property-list -> property-pair I property-pair property-list 
property-pair -> {property-name: property-value) 
property-name -> literal-constant 
property-value -> string-constant I literal-constant 
I floating-constant I integer-constant 

20 

watermarf(-spec -> watermark-info-list 

watenriari^-info-list -> watermark-str-specopt watermark-info-listopt I 

watenvark-token-specopt watermark-info-listopt I 
25 watenvark-object-specopt watermark-info-listopt 

watermark-str-spec -> (Watermark-Str: watermark-str) 

watenvark-token-spec -> (Watermark-Tokens: watermark-tokens ) 
30 watermark-tokens -> watermark-token watermark-tokensopt 

watermark-token -> all- rights 1 render-rights I 

user-name I user-id I user-location I 
institution-name I institution-id I institution-location I 
render-name I render-id i render-location I render-time 



35 



watermark-object-spec -> (Watemnark-Object: work-id) 
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